Installing Gatekeeper
Getting started
Make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.
Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
Installation using Yandex Cloud Marketplace
1. Go to the folder page and select Managed Service for Kubernetes.
2. Click the name of the cluster you need and select the Marketplace tab.
3. Under Application available for installation, select Gatekeeper and click Go to install.
4. Configure the application:
   - Namespace: Select a namespace or create a new one.
   - Application name: Specify the app name.
   - Audit interval: Set the interval between audits in seconds. 0 disables audits.
   - Constraint violations limit: Set the maximum number of violations to be logged for each constraint.
   - Only matching resource types: Select this option if you need to validate only those Kubernetes resource types for each constraint that are explicitly specified in the constraint. If no resource types are specified or the option is disabled, all resources will be validated.
   - Create events at audit: Select this option to create a Kubernetes event for each constraint violation detected during the audit, with detailed information about the violation.
   - Events in affected namespace: Select this option if events with violation details should be created in the namespace in which a constraint violation was logged. Only applies if the Create events at audit option is enabled. If the Events in affected namespace option is disabled, events will be created in the namespace in which Gatekeeper is installed.
   - Allow external data: Select this option to enable experimental support of external data sources.
5. Click Install.
6. Wait for the application to change its status to Deployed.
Installation using a Helm chart
1. Install kubectl and configure it to work with the created cluster.
2. Install Helm v3.8.0 or higher.
3. To install a Helm chart with Gatekeeper, run the following command:

```bash
helm pull oci://cr.yandex/yc-marketplace/gatekeeper \
  --version 3.12.0 \
  --untar && \
helm install \
  --namespace <namespace> \
  --create-namespace \
  gatekeeper ./gatekeeper/
```

You can redefine optional parameters in the install command using the following key: --set <parameter_name>=<new_value>.
See the table below for a list of redefinable parameters and their default values:
| Parameter name | Description | Default value |
|---|---|---|
| auditInterval | Interval between audits in seconds | 60 |
| constraintViolationsLimit | Maximum number of violations to be logged for each constraint | 20 |
| auditMatchKindOnly | Only matching resource types | false |
| emitAuditEvents | Creating events during audit | false |
| auditEventsInvolvedNamespace | Creating events in the affected namespace | false |
| enableExternalData | Experimental support of external data sources | true |
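The audit parameters above (auditInterval, constraintViolationsLimit, and their Marketplace counterparts) decide how much of the cluster's policy drift you actually get to see: an audit interval of 0 means constraint status is never populated, and the violations limit caps how many offending objects each constraint records, while the total count keeps growing. The script below, an added example that is not part of this page or of the Gatekeeper project, reads the JSON that `kubectl get constraints -A -o json` returns (the `constraints` category that Gatekeeper registers on its constraint CRDs is assumed to be available) and flags constraints that were never audited, constraints whose recorded violations were truncated by the limit, and violations in a non-deny enforcement mode that are therefore not blocked at admission. The status field layout (`auditTimestamp`, `totalViolations`, `violations[]` with `kind`, `name`, `namespace`, `message`, `enforcementAction`) is what Gatekeeper's audit controller writes; the sample document embedded in the script is constructed, not captured from a real cluster.

```python
"""Summarise Gatekeeper audit results from `kubectl get constraints -A -o json`.

Added example, not part of the Yandex Cloud page or the Gatekeeper project.
Assumes the constraint status layout written by Gatekeeper's audit controller:
status.totalViolations plus status.violations[] (capped per constraint by the
constraintViolationsLimit chart parameter). The sample below is constructed.
"""
import json
import sys
from dataclasses import dataclass

# Constructed sample resembling `kubectl get constraints -A -o json` on a
# cluster installed with constraintViolationsLimit=2.
SAMPLE_CONSTRAINTS_JSON = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "K8sRequiredLabels",
            "metadata": {"name": "ns-must-have-owner"},
            "spec": {"enforcementAction": "deny"},
            "status": {
                "auditTimestamp": "2024-01-01T00:00:00Z",
                "totalViolations": 3,            # three offenders exist ...
                "violations": [                  # ... but only two were recorded
                    {"kind": "Namespace", "name": "team-a", "enforcementAction": "deny",
                     "message": "you must provide labels: {\"owner\"}"},
                    {"kind": "Namespace", "name": "team-b", "enforcementAction": "deny",
                     "message": "you must provide labels: {\"owner\"}"},
                ],
            },
        },
        {
            "kind": "K8sPSPPrivilegedContainer",
            "metadata": {"name": "no-privileged"},
            "spec": {"enforcementAction": "dryrun"},   # audit only, never blocks
            "status": {
                "auditTimestamp": "2024-01-01T00:00:00Z",
                "totalViolations": 1,
                "violations": [
                    {"kind": "Pod", "name": "debug", "namespace": "default",
                     "enforcementAction": "dryrun",
                     "message": "Privileged container is not allowed: shell"},
                ],
            },
        },
        {
            "kind": "K8sRequiredLabels",
            "metadata": {"name": "pods-must-have-app"},
            "spec": {"enforcementAction": "deny"},
            "status": {},   # never audited, e.g. auditInterval=0 or audit not yet run
        },
    ],
})


@dataclass
class ConstraintSummary:
    kind: str
    name: str
    enforcement: str
    total: int      # status.totalViolations
    listed: int     # len(status.violations), capped by constraintViolationsLimit
    audited: bool   # status.auditTimestamp present

    @property
    def truncated(self) -> bool:
        """More violations exist than the audit recorded in status."""
        return self.total > self.listed


def summarize_constraints(raw_json: str) -> list[ConstraintSummary]:
    """Parse the kubectl List document and build one summary per constraint."""
    doc = json.loads(raw_json)
    summaries = []
    for item in doc.get("items", []):
        status = item.get("status") or {}
        summaries.append(ConstraintSummary(
            kind=item.get("kind", "?"),
            name=item.get("metadata", {}).get("name", "?"),
            # Gatekeeper treats a missing enforcementAction as "deny".
            enforcement=item.get("spec", {}).get("enforcementAction", "deny"),
            total=int(status.get("totalViolations", 0)),
            listed=len(status.get("violations") or []),
            audited="auditTimestamp" in status,
        ))
    return summaries


def findings(summaries: list[ConstraintSummary]) -> list[str]:
    """Return the warnings a policy reviewer should act on."""
    msgs = []
    for s in summaries:
        ref = f"{s.kind}/{s.name}"
        if not s.audited:
            msgs.append(f"{ref}: never audited (audit disabled or not yet run)")
        elif s.truncated:
            msgs.append(f"{ref}: {s.total} violations but only {s.listed} recorded; "
                        "raise constraintViolationsLimit to see all")
        if s.enforcement != "deny" and s.total:
            msgs.append(f"{ref}: {s.total} violation(s) in {s.enforcement} mode, "
                        "not blocked at admission")
    return msgs


if __name__ == "__main__":
    # Pipe real output in (kubectl get constraints -A -o json | python3 audit_summary.py)
    # or run without input to use the constructed sample.
    raw = SAMPLE_CONSTRAINTS_JSON if sys.stdin.isatty() else sys.stdin.read()
    for line in findings(summarize_constraints(raw)):
        print(line)
```

Run against a real cluster by piping the kubectl output into the script; with no input it reports on the constructed sample, producing one line each for the truncated constraint, the dry-run violation, and the never-audited constraint.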